Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
Christopher Morrow <morrowc.lists@gmail.com> Tue, 04 December 2018 20:17 UTC
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2443E130E3C; Tue, 4 Dec 2018 12:17:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxLsJzrANMNX; Tue, 4 Dec 2018 12:17:45 -0800 (PST)
Received: from mail-it1-x132.google.com (mail-it1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C8E612F1AB; Tue, 4 Dec 2018 12:17:45 -0800 (PST)
Received: by mail-it1-x132.google.com with SMTP id b5so16540164iti.2; Tue, 04 Dec 2018 12:17:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NMHFzN1cvcghWgJb3Z8DYwame2bS0CwI9GV1983uQU0=; b=HUeToHhgXdMK7wX34lD7p5oVm5FMh0+CigZDEWa9l1k5PdeB8w/pnPPJ2UJ4i2bkmo QIGZb7ksjYotGKJvKFe34Lz3v5cpklWDBqgQ6IxY2+VM3C1jBHZp9yQDcRDwD4NlvRSs 7hOMNnfsusE1Hm68WDAOPfrpphiwaIRtCBuLuY+6xnS5q2tX2nbvNPI/KV3adRWZakVK j+V8d8aRc4TF5Yhj5h+3F2lYhbBqwN9raawJs28Ubo2yKYZQapV1amnBYPYrG7KYZKwt Bd9ZLtaIyzR1nCcSHusP//wd8EpgLRAtL95DUwgPwshFvtqbHi3CAvYy5mEch21OxkoO qO0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NMHFzN1cvcghWgJb3Z8DYwame2bS0CwI9GV1983uQU0=; b=DooENNJiVmd5JKDJoPKA2gp6X1cY5dtMqsfhOWEq5A3Lu1mHmSeYSG+eagZ+k9FFF8 lbesD2J7VNHRptbIVW6Uw6zx+Hsw6xDzJIPVd82c+rjAxVEs1unedZVyzpsnXT67g40m UEIGi8xTWqaSyn+iTfF1VmreuCzVwsseM1gpe0pU5U31A9eQ2WnA0pH7KR2h+M6POzp4 LJgU3AvAFLnplJ7GzBNE8cacLOPDXzUsxqn+TrJG8ruXSPrmU0Nqko5HmqIu3SRCycZE 1stqs/Ua4z3J2u/+UdJVxe2M0zNkbTVZH6Wwa/tIGIsjUa9Dxq4hdFk4K9mJ3FW0RRDk vJQQ==
X-Gm-Message-State: AA+aEWaZSlo61N8I9g5z+yG+obsHddolAnMxPriY8HM4szzkdOXINpOA 1Vdtwc7k8TcdXRjqH0g8JhygMs1sfgrsH04hbIM=
X-Google-Smtp-Source: AFSGD/XRjxhWRsH4bS4BA7nunoEwV6dNVcF76yYGsRm/9/V5YRahYn7t8HQKQ1LxC4gyYjkgwQYcDk2X2gt7l6o3HQM=
X-Received: by 2002:a24:d08d:: with SMTP id m135mr12628991itg.89.1543954664491; Tue, 04 Dec 2018 12:17:44 -0800 (PST)
MIME-Version: 1.0
References: <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <d6deb7af-99dd-9013-2722-8ebbe00c0b37@si6networks.com> <1CB13135-D87A-4100-8668-D761058E1388@strayalpha.com> <0f56c25d-7ac7-e534-4e2c-cc09f5154e77@foobar.org> <28EDE667-457E-4AED-8480-F27ECAA8E985@strayalpha.com> <6bd1ec94-f420-1f4c-9254-941814704dbb@gmail.com> <6be84ccf-9a72-2694-e19d-fa19043a0cb1@huitema.net> <4C249487-BD58-41BB-B8B6-081323E29F6C@strayalpha.com> <20181126075746.GO72840@Space.Net> <6C50775C-EB67-4236-93B8-DF0259E04167@strayalpha.com> <20181126175336.GW72840@Space.Net> <c959d8cb6f6a04a8da8318cfa89da341@strayalpha.com> <2425355d-e7cc-69dd-5b5d-78966056fea7@foobar.org> <C4D47788-0F3D-4512-A4E3-11F3E6EC230B@strayalpha.com> <8d3d3b05-ecc3-ad54-cb86-ffe6dc4b4f16@gmail.com> <C929A8B9-D65C-4EF7-9707-2238AE389BE3@strayalpha.com>
In-Reply-To: <C929A8B9-D65C-4EF7-9707-2238AE389BE3@strayalpha.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Tue, 04 Dec 2018 15:17:33 -0500
Message-ID: <CAL9jLaY4h75KK4Bh-kZC6-5fJupaNdUfm1gK2Dg99jBntMCEyQ@mail.gmail.com>
To: Joe Touch <touch@strayalpha.com>
Cc: Stewart Bryant <stewart.bryant@gmail.com>, tsv-art@ietf.org, opsec wg mailing list <opsec@ietf.org>, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, Nick Hilliard <nick@foobar.org>
Content-Type: multipart/alternative; boundary="00000000000053907b057c37f51e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/5xd79DjWrsyyj_Nf3dPFRFDLXYQ>
Subject: Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Dec 2018 20:17:48 -0000
On Tue, Nov 27, 2018 at 5:40 AM Joe Touch <touch@strayalpha.com> wrote: > Take that to the standards wg. Don’t stick your head in the sand and try > to do an end run in ops. And don’t call any of this a security issue that > it isn’t. > > > Joe, I think one of the 3 pillars of security is: "Availability" (the other two are 'Confidentiality' and 'Integrity') I think the point that Nick and Gert are outlining is that if the case is that the hardware available will have no fast-path processing for packets with obtuse patterns or sets of extension headers those packets will get sent to the control-plane (slow-path). That slow-path being congested will cause availability problems. Actually, whether or not the control-plane fails under such load may not even matter, if the rate-limiting of the packets here is such that (as gert said) all but a trickle of the interesting packets are forwarded. A solution might be to have a mode where a router may just ignore all headers except the src/dst-ip and simply forward all packets, trusting that the conversing adults will sort out problems with unknown/new/experimental headers or with a tortured ordering of headers (for instance). This will also cause some operational headaches: "Please drop all traffic toward ipX with protoY and dst-port Z" but perhaps it's still acceptable to some folk to operate like this?
- [Tsv-art] Tsvart last call review of draft-ietf-o… Michael Scharf
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Fernando Gont
- Re: [Tsv-art] Tsvart last call review of draft-ie… Fernando Gont
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Nick Hilliard
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Christian Huitema
- Re: [Tsv-art] Tsvart last call review of draft-ie… Nick Hilliard
- Re: [Tsv-art] Tsvart last call review of draft-ie… Christian Huitema
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Fernando Gont
- Re: [Tsv-art] Tsvart last call review of draft-ie… Fernando Gont
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Eric Rescorla
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Ole Troan
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Benjamin Kaduk
- Re: [Tsv-art] Tsvart last call review of draft-ie… Mark Andrews
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Christopher Morrow
- Re: [Tsv-art] Tsvart last call review of draft-ie… C. M. Heard
- Re: [Tsv-art] Tsvart last call review of draft-ie… Christopher Morrow
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Mark Andrews
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … David Farmer
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Ole Troan
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Randy Bush
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Ole Troan
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Ole Troan
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Christian Huitema
- [Tsv-art] HbH flags [Tsvart last call review of d… Brian E Carpenter
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Brian E Carpenter
- [Tsv-art] game over, EH [Tsvart last call review … Brian E Carpenter
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- [Tsv-art] ECMP [Tsvart last call review of draft-… Brian E Carpenter
- Re: [Tsv-art] HbH flags [Tsvart last call review … Brian E Carpenter
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Stephen Farrell
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Fernando Gont
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Fernando Gont
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Fernando Gont
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Christopher Morrow
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Christopher Morrow
- Re: [Tsv-art] HbH flags [Tsvart last call review … Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] HbH flags [Tsvart last call… Gert Doering
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Brian Trammell (IETF)
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Stewart Bryant
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Stewart Bryant
- Re: [Tsv-art] HbH flags [Tsvart last call review … Ole Troan
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Stewart Bryant
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Ole Troan
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Stewart Bryant
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Gert Doering
- Re: [Tsv-art] HbH flags [Tsvart last call review … Stewart Bryant
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Stewart Bryant
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Stewart Bryant
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Gert Doering
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Ole Troan
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Spencer Dawkins at IETF
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] [OPSEC] HbH flags [Tsvart last call… Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Ole Troan
- Re: [Tsv-art] HbH flags [Tsvart last call review … Stewart Bryant
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Fernando Gont
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Smith, Donald
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Ole Troan
- Re: [Tsv-art] game over, EH [Tsvart last call rev… C. M. Heard
- Re: [Tsv-art] [OPSEC] game over, EH [Tsvart last … Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… C. M. Heard
- Re: [Tsv-art] [OPSEC] game over, EH [Tsvart last … Smith, Donald
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Gert Doering
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Nico Williams
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Brian E Carpenter
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Brian E Carpenter
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Jared Mauch
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Fernando Gont
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Christopher Morrow
- Re: [Tsv-art] HbH flags [Tsvart last call review … Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Pete Resnick
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Joe Touch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Nico Williams
- [Tsv-art] OT: TCP session lifetime - Re: game ove… Jared Mauch
- Re: [Tsv-art] OT: TCP session lifetime - Re: game… Nico Williams
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: [Tsv-art] OT: TCP session lifetime - Re: game… Gert Doering
- [Tsv-art] Engaging constructively [HbH flags [Tsv… Alissa Cooper
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Wes Hardaker
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Brian E Carpenter
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Wes Hardaker
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Fernando Gont
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Fernando Gont